If mobile phone users use a VPN, they usually try to make sure they keep as much information private as possible. But a recent report revealed that iOS 16 VPN tunnels leak data even when iOS 16 Lockdown mode is enabled.
What Is the iOS 16 VPN Tunnel Data Leak?
Typically, when a VPN is activated, the operating system shuts down all existing Internet connections and re-establishes them through the VPN tunnel. Running a VPN on an iPhone or iPad should therefore protect your Internet traffic and your visible IP address from interception. However, some users reported that their iOS 16 VPN tunnels leaked data. The study found that on iOS, sessions and connections established before the VPN is opened are not terminated and can still send data outside the VPN tunnel while it is active, leaving that data potentially unencrypted and exposed to ISPs and other parties.
The reason is that inherent flaws in Apple’s mobile operating system can lead to data leaks in some situations. While these leaks require a specific set of circumstances, iOS enables:
- Operations that started before the VPN is activated to continue sending data outside the VPN tunnel
- Third-party applications to bypass the VPN and check users’ real mobile network IP addresses
- Apple to bypass the VPN entirely with its own services
These iOS data leaks are the result of how iOS handles Internet connections. The main issue is that iOS determines the default gateway for data transfer, not the consumer VPN service.
iOS 16 VPN Tunnels Leak Data even When Lockdown Mode is Enabled
In an interview with MacRumors, security researchers Tommy Mysk and Talal Haj Bakry explained that iOS 16 handles VPN traffic the same way whether the Lockdown mode is enabled or not. That matters because there is a persistent, unsolved problem for the iOS system, which will leak data outside of an active VPN connection.
An iOS VPN bypass was discovered in iOS 13.3.1, at which time Apple said it would add a Kill Switch feature in a future software update to block all existing connections if a VPN tunnel is lost. But it does not seem to prevent iOS 16 VPN tunnels from leaking data.
On October 11, Tommy Mysk shared the results of his own tests using ProtonVPN and Wireshark, a tool that intercepts and analyzes network traffic. He found that DNS requests from certain Apple apps on iOS 16 ignored the VPN when communicating with Apple servers. Apple apps that leaked data include Apple Store, Clips, Files, Find My, Health, Maps, Settings and Wallet. Most of these apps, like Health, handle users’ private information.
Mysk and Bakry also found that exactly the same iOS 16 problems persisted whether Lockdown mode was enabled or not, especially with push notifications. Therefore, Internet service providers, governments and other organizations may be able to identify users with high traffic, potentially highlighting influential individuals.
The Lockdown mode in iOS 16 is designed as an optional security feature to protect a “very small number” of users who may be at risk of “highly targeted cyber attacks” from private companies developing state-sponsored spyware, such as journalists, activists and government employees. It does not enable the VPN itself and relies on the same third-party VPN applications as the rest of the system.
Note that Apple only lists the advanced features that are activated when Lockdown mode is enabled, and does not explicitly mention any changes that affect VPN traffic. Still, since Lockdown mode is an extreme protection measure, it seems a considerable oversight that VPN traffic remains a vulnerable point.
3 Types of iOS VPN Data Leaks and Corresponding Fixes
There are three different types of iOS VPN data leaks that can occur under certain circumstances. Here are some temporary fixes for VPN users to mitigate this problem in the short term.
1. Long-standing Connection Leaks
Long-standing connections can continue to send data even after a VPN tunnel is created. This occurs primarily in services that require operations to be initiated before the tunnel is created, such as downloads.
How to fix it:
The reason for this leak in iOS comes from actions that occur before and during the establishment of a VPN connection, so you can simply prevent your device from making a connection until the VPN is established. Make sure to turn on your VPN before doing anything online. Then restart all ongoing connections. You can perform the following steps:
- Connect to the VPN
- Enable Airplane mode
- Disable Airplane mode
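The leak described above is easiest to see in a capture, which is how the researchers found it. The following added example (written for this article, not code from the original page or from Mysk and Bakry) scans a simplified, hand-constructed packet list shaped like a Wireshark/tshark export and flags anything that leaves a physical interface while the tunnel is up. The interface names are assumptions (`utun2` for the VPN tunnel, `en0` for Wi-Fi, `pdp_ip0` for cellular), the VPN server address is a constructed documentation-range address, and the sample packets are constructed to contain one of each leak type from this article: a download that started before the VPN came up, a DNS query that bypasses the tunnel, and a new connection that leaves over cellular.

```python
"""Flag iOS traffic that leaves a physical interface while a VPN tunnel is up.

Added example for this article; not the researchers' tooling. Interface names
and the sample capture below are assumptions/constructed data.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Iterable

TUNNEL_IFACE = "utun2"                # assumed name of the VPN tunnel interface
PHYSICAL_IFACES = {"en0", "pdp_ip0"}  # Wi-Fi and cellular (assumed iOS names)
VPN_SERVER = "203.0.113.10"           # constructed VPN endpoint (documentation range)


@dataclass(frozen=True)
class Packet:
    """One outbound packet as exported from a capture (simplified fields)."""
    ts: float    # seconds since capture start
    iface: str   # interface the packet left on
    src: str
    dst: str
    proto: str   # "TCP" or "UDP"
    sport: int
    dport: int

    @property
    def flow(self) -> tuple:
        # 5-tuple identifying the connection this packet belongs to
        return (self.proto, self.src, self.sport, self.dst, self.dport)


@dataclass(frozen=True)
class Finding:
    ts: float
    iface: str
    dst: str
    dport: int
    kind: str


def find_leaks(packets: Iterable[Packet], vpn_up_at: float,
               tunnel_iface: str = TUNNEL_IFACE,
               vpn_server: str = VPN_SERVER) -> list[Finding]:
    """Return packets that bypass the tunnel after it is established.

    Packets to the VPN server itself are the encrypted tunnel transport and are
    expected on the physical interface; anything else leaving a physical
    interface after vpn_up_at is a leak. A flow first seen before vpn_up_at is
    the "long-standing connection" case the article describes.
    """
    first_seen: dict[tuple, float] = {}
    findings: list[Finding] = []
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        first_seen.setdefault(p.flow, p.ts)
        if p.ts < vpn_up_at or p.iface == tunnel_iface or p.dst == vpn_server:
            continue
        if p.iface not in PHYSICAL_IFACES:
            continue
        if p.dport == 53:
            kind = "dns-leak"
        elif first_seen[p.flow] < vpn_up_at:
            kind = "pre-existing-connection"
        else:
            kind = "new-connection-bypass"
        findings.append(Finding(p.ts, p.iface, p.dst, p.dport, kind))
    return findings


def summarize(findings: Iterable[Finding]) -> dict[str, int]:
    """Count findings per leak kind."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample capture: the tunnel comes up at t=1.5s.
VPN_UP_AT = 1.5
SAMPLE_CAPTURE = [
    Packet(0.5, "en0", "10.0.0.5", "198.51.100.7", "TCP", 50001, 443),   # download started pre-VPN
    Packet(1.0, "en0", "10.0.0.5", VPN_SERVER, "UDP", 500, 500),         # IKE to the VPN server
    Packet(2.0, TUNNEL_IFACE, "10.8.0.2", "198.51.100.20", "TCP", 50002, 443),  # inside tunnel: fine
    Packet(2.5, "en0", "10.0.0.5", "198.51.100.7", "TCP", 50001, 443),   # same download, still on en0
    Packet(3.0, "en0", "10.0.0.5", "10.0.0.1", "UDP", 51000, 53),        # DNS query outside tunnel
    Packet(3.5, "en0", "10.0.0.5", VPN_SERVER, "UDP", 4500, 4500),       # tunnel transport: expected
    Packet(4.0, "pdp_ip0", "100.64.1.9", "198.51.100.30", "TCP", 50003, 443),  # new flow over cellular
]

if __name__ == "__main__":
    for f in find_leaks(SAMPLE_CAPTURE, VPN_UP_AT):
        print(f"{f.ts:5.1f}s {f.iface:8} -> {f.dst}:{f.dport}  {f.kind}")
    print(summarize(find_leaks(SAMPLE_CAPTURE, VPN_UP_AT)))
```

Run it on a real export by replacing `SAMPLE_CAPTURE` with packets parsed from your capture and `VPN_UP_AT` with the timestamp at which the tunnel interface came up. After the Airplane-mode toggle above, the pre-VPN download flow (source port 50001 here) should no longer appear on `en0`; it should re-appear only on the tunnel interface with a fresh source port, which this scan would then report as clean.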
2. Apple Traffic is VPN-exempt
Apple services on iOS can bypass the VPN completely. Note that this applies only to Apple's own traffic, which includes app updates, emails and push notifications.
How to fix it:
Unfortunately, in most cases, there is no 100% solution for this type of iOS data leak.
Connecting the device to a VPN router, so that the tunnel is established by the router rather than by iOS, prevents any traffic leakage, including Apple's. However, this requires a fairly involved setup and is not achievable for most individuals or situations.
Devices issued by employers and equipped with Mobile Device Management (MDM) "Always-on VPN" capabilities can also avoid such leaks. But keep in mind that only enterprise solutions have access to this functionality. It cannot be implemented by consumers or extended by VPN providers in future app updates.
3. Mobile IP Leaks to Third-party Apps
Any third-party app can send data over the mobile network, meaning that any outside iOS developer can obtain a user's real mobile IP address, bypassing the VPN entirely. However, an application that takes advantage of this can only affect its own data. As a result, a developer can only see your real mobile IP address while you are using their app.
How to fix it:
Disable your mobile network before securing your Wi-Fi connection with a VPN. But unless you’re already at home or connected to a Wi-Fi hotspot, this may not be an option.
If you rely on your mobile network when using VPN on your iPhone, there is no way to resolve this leak. This is why you must only install applications that you trust.
While the iOS 16 VPN tunnel data leak issue is annoying, a VPN can still enhance the privacy and security of your online data. You are more likely to have a secure experience with a VPN than without one.